Managing the Risk of new Ransomware Threats and their Business Impact
PUBLISHED IN MODERN LAW – JANUARY 2017, By Mike Batters, Legal IT Specialist
As new ransomware strains emerge every week, how do we effectively manage the potential business impact of these threats?
The threat of ransomware is constantly evolving with rapidly changing methods of both targets and encryption. Two recently evolved strains (at the end of 2016) have gone beyond targeting traditional Word Documents, Excel Spreadsheets & PDF documents, as has been common to date.
One specific emerging strain, named Mamba, is utilising whole disk encryption technology to encrypt both Operating System and data, thereby preventing users from starting up clients or servers. A Bitcoin ransom then follows to get the decryption code and be in a position to recover the system to an operational state.
A second variant of ransomware, referenced as Cerber, now targets database servers such as, Microsoft SQL, MySQL & Oracle, first killing the database server process and then encrypting the actual database files.
In both these situations, organisations are exposed to very significant risks. Both data loss and operational disruptions are highly likely to occur and by affecting core databases or whole servers, these issues are far more likely to impact the entire organisation for a longer period of time, therefore increasing costs incurred.
So – putting this in to perspective and giving you an example of what this means; A database server is hit by ransomware at 1pm which hosts the core business services such as its CRM, case management or Process Management tools. The whole machine is encrypted, everyone involved within the business immediately loses the ability to work effectively, whilst the business operation, the client experience and sales revenue are each severely affected.
There are two choices at this point:
1. Pay the Bitcoin ransom, these are typically reported as being $1,000+ per affected server. There is no real guideline regarding time elapsed from payment through to the decryption key being released.
2. Restore the machine from backup – taking at least a few hours to complete (providing you have the necessary infrastructure in place which isn’t often the case) and in those that do – the backup taken will usually be from the previous night thereby involving 4-5 hours’ operational data loss. Simply put, work which needs to be repeated.
Neither choice is a good situation for any business to find itself in, being out of operation, paying out a ransom and/or losing data, then recreating work. Beyond these direct implications – customer, partner and supplier confidence needs to be considered, as competitors may potentially take advantage of the poor publicity you will subsequently receive.
The combined effects of any ransomware attack is a risk that legal firms simply cannot afford to take. Traditional anti-malware solutions have failed in protecting inbound e-mail and systems against the “new breed” next generation malicious cyber-attacks. However, and it’s a big ‘however’…. there are solutions out there that will protect your business over and above just traditional Anti-Virus. These include:
1. Proofpoint’s TAP (Targeted Attack Protection) technology has been proven to detect and stop e-mail borne threats over and over. Just last week 1667 UK customers were protected from such an attack as we’ve described above. It is unlikely others were so lucky.
2. Forcepoint’s Next Generation Firewall (NGFW) provides a unique resiliency, proven to block 100% of Advanced Evasion Techniques (AETs), which continue to evade other traditional firewall technologies.
3. SentinelOne uses an innovative approach to endpoint protection, including several layers of attack prevention to combat cyber attacks. Combined with other technologies, this software offers the potential of a comprehensive and robust protection strategy.
4. ReadyRECOVER’s Backup technology has been deployed in a number of Top 500 law firms across the UK by legal IT specialists NETprotocol – encompassing full backups every 15 minutes, on-site back up to disk plus offsite replication and native deduplication.
While prevention technologies are strategically important, no single defence is infallible and so data recovery remains vital. Traditional backup technologies run daily backups, once or twice per working day however the impact of rolling back to the previous close-of-business backup is too great.
The managed backup solution provided by NETprotocol can run full server, exchange and SQL database backups every 15 minutes with rapid restore functionality, so in the event of a ransomware attack the data loss involved in rollback is absolutely minimal – and the rollback process couldn’t be more quick or effective.
So to answer the question that so many IT professionals are asking today – it is most certainly possible to formulate an intelligent and resilient protection strategy which will keep your clients’ data safe as these new sophistciated strains of ransomware contiue to emerge. Yes – the right knowledge and expertise will be required – but it is also safe to say that the benefits and cost of doing this far outway the risks posed by ransomware attacks like Mamba or Cerber in the future.
For more information or advice on how to implement a resilient and effective strategy for keeping your IT systems and data secure, please contact NETprotocol on the details below: